Is it possible to intercept functions in linked libraries?

With EasyHook you can connect any subroutine whose address can be calculated.

In my case, connecting the static linked SSL_read and SSL_write to OpenSSL was as simple as detecting offsets with my favorite debugger, and then setting the hooks.

// delegate for EasyHook: [UnmanagedFunctionPointer(CallingConvention.Cdecl, SetLastError = true, CharSet = CharSet.Ansi)] delegate Int32 SLL_readDelegate(IntPtr SSL_ptr, IntPtr buffer, Int32 length); // import SSL_read (I actually did it manually, but this will work in most cases) /* proto from ssl_lib.c -> int SSL_read(SSL *s,void *buf,int num) */ [DllImport("ssleay32.dll", SetLastError = true)] public static extern Int32 SSL_read(IntPtr ssl, IntPtr buffer, Int32 len); // the new routine static Int32 SSL_readCallback(IntPtr SSL_ptr, IntPtr buffer, Int32 length) { /* call the imported SSL_read */ int ret = SSL_read(SSL_ptr, buffer, length); /* TODO: your code here, eg: * string log_me = Marshal.PtrToString(buffer, ret); */ return ret; } 

Now all that remains is to set the hook:

 private LocalHook sslReadHook; public void Run(RemoteHooking.IContext InContext, String InArg1) { // ... initialization code omitted for brevity /* the value for ssl_read_addr is made up in this example * you'll need to study your target and how it loaded(?) to * identify the addresses you want to hook */ int ssl_read_addr = 0x12345678; /* made up for examples sake */ sslReadHook = LocalHook.Create(new IntPtr(ssl_read_addr), new SSL_readDelegate(SSL_readCallback), this); // ... } 

I should mention that in this example you will need libeay32.dll and ssleay32.dll, since the latter depends on the former.

Happy connection!